
Re: mod_auth_pam



On Tue, Jan 30, 2001 at 03:48:57PM -0300, Felipe Alvarez Harnecker wrote:
> 
> Hi, I hope not to bore you, but I'm having trouble with
> mod_auth_pam.
> 
> my /etc/pam.d/http
> 
> auth            required        pam_unix.so debug
> account         required        pam_unix.so debug

Not sure about your error message, but pam_unix.so cannot be used under
mod_auth_pam. That's a shortcoming in this particular module. The basic
idea is that pam_unix.so will auth under two circumstances. One, running
with privs to read /etc/shadow (such as root, or sgid shadow), in which
case it can directly auth. This is how login, su and passwd work.

The other method is for it to execute the helper application. This is
done when the current process does not have permissions to read
/etc/shadow (such as lockvt, apache, etc.). The problem here is that
the helper application, for security reasons, will only authenticate the
uid of the calling process. In the case of apache, that user would be
"www-data".

So you see, it cannot authenticate for, say, "joe". I'm pretty sure the
mod_auth_pam docs mention this, and possible workarounds.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
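
The two cases described in the message above, written out as a small diagnostic. This is an added example, not part of the original message and not code from pam_unix or mod_auth_pam; the function names and the sample uid/gid values are assumptions made for illustration.

```python
import os
import stat

def can_read(mode, owner_uid, group_gid, euid, gids):
    """Classic Unix read check (this sketch ignores ACLs and capabilities)."""
    if euid == 0:
        return True
    if euid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if group_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def pam_unix_outcome(caller_uid, caller_gids, target_uid, shadow):
    """Model of the two cases in the message above.

    shadow is (mode, owner_uid, group_gid) for /etc/shadow.
    Returns "direct", "helper" or "refused".
    """
    mode, owner_uid, group_gid = shadow
    if can_read(mode, owner_uid, group_gid, caller_uid, caller_gids):
        return "direct"    # process reads the hash itself, any account works
    if caller_uid == target_uid:
        return "helper"    # helper only vouches for the caller's own uid
    return "refused"       # e.g. www-data asking about "joe"

# Constructed sample values (Debian-style ids, not taken from the message).
SHADOW = (0o640, 0, 42)    # root:shadow, rw-r-----
WWW_DATA, JOE = 33, 1000

def check_this_process(target_uid, path="/etc/shadow"):
    """Run the same model against the live process and the real file."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    return pam_unix_outcome(os.geteuid(), gids, target_uid,
                            (st.st_mode, st.st_uid, st.st_gid))

if __name__ == "__main__":
    print("login as root      ->", pam_unix_outcome(0, {0}, JOE, SHADOW))
    print("sgid-shadow binary ->", pam_unix_outcome(JOE, {JOE, 42}, 1001, SHADOW))
    print("screen lock as joe ->", pam_unix_outcome(JOE, {JOE}, JOE, SHADOW))
    print("apache as www-data ->", pam_unix_outcome(WWW_DATA, {WWW_DATA}, JOE, SHADOW))
```

Calling `check_this_process(uid)` from the account the web server runs as shows which of the three outcomes applies on a given host.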


